mcporter

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx mcporter or npm install -g mcporter to download and run the CLI utility from the npm registry.
  • [COMMAND_EXECUTION]: The mcporter tool can execute arbitrary shell commands via the --stdio flag to start local MCP servers, which is a fundamental feature of the Model Context Protocol.
  • [REMOTE_CODE_EXECUTION]: The skill includes code generation features (generate-cli and emit-ts) that create new executable scripts or TypeScript files based on remote server schemas.
  • [PROMPT_INJECTION]: The skill serves as an interface for external MCP servers, creating an attack surface for indirect prompt injection where untrusted data could influence agent behavior.
  • Ingestion points: Tool outputs and server definitions fetched via mcporter call or mcporter list --schema.
  • Boundary markers: None described in the prompt instructions.
  • Capability inventory: Includes shell command execution (--stdio), network requests, and code generation.
  • Sanitization: No evidence of output filtering or sanitization is provided in the documentation.
Audit Metadata
Risk Level
SAFE
Analyzed
May 16, 2026, 01:45 PM
Security Audit — agent-trust-hub — mcporter